Using Public-Key Authentication from z/OS Client
All commands in this section are shown using the SSH Tectia z/OS client.
Server-side configuration can also be done by logging in to the remote
server and entering the commands locally.
To set up user public-key authentication from a z/OS Client, do the
following steps:
- Create a key pair by executing
ssh-keygen2 on the z/OS client
host.
By default, ssh-keygen2 creates a 2048-bit DSA key pair. RSA
keys can be generated by specifying the -t rsa option. Key length
can be specified with the -b option. For non-interactive use,
the key can be generated without a passphrase with the -P option.
> /usr/lpp/ssh2/bin/ssh-keygen2 -t rsa -b 1024 -P $HOME/.ssh2/mf_key
Generating 1024-bit rsa key pair
2 oOo.oOo.oOo.
Key generated.
1024-bit rsa, TESTUSER@ZOS, Tue Jul 11 2006 01:45:06 -0600
Private key saved to /u/TESTUSER/.ssh2/mf_key
Public key saved to /u/TESTUSER/.ssh2/mf_key.pub
|
If the -P option is not used, ssh-keygen2 asks for a
passphrase for the new key.
ssh-keygen2 stores your new authentication key pair in two separate
files. One of the keys is your private key which must never be made
available to anyone but yourself.
In the example above, the private key file is mf_key. The other file
mf_key.pub is your public key, which can be distributed to other
computers.
For more information on the ssh-keygen2 options, see the
ssh-keygen2 man page (Appendix ssh-keygen2).
- Create an
identification file in your $HOME/.ssh2
directory on the z/OS Client, for example:
> cd $HOME/.ssh2
> echo "IdKey mf_key" >> identification
> cat identification
IdKey mf_key
|
You now have an identification file that
consists of one line that denotes the file containing your
identification (your private key). For special applications,
you can create multiple identifications by executing
ssh-keygen2 again. However, this is not usually needed.
- Create a
.ssh2 or .ssh directory on Server
(if it does not exist already).
- If the remote host is running SSH Tectia Server on Unix or z/OS :
$ ssh2 testuser@tectia_server mkdir .ssh2
- If the remote host is running SSH Tectia Server on Windows:
$ ssh2 testuser@tectia_win_server "cmd /c mkdir .ssh2"
- If the remote host is running OpenSSH on Unix or z/OS:
$ ssh2 testuser@openssh_server mkdir .ssh
- Copy your public key to Server.
- Keys created with z/OS
ssh-keygen2 are stored in the
EBCDIC format. When the public key is transferred to a Unix or Windows
server, it must be converted to the ASCII format.
$ scp2 /ftadv:C=ISO8859-1,D=IBM-1047,X=TEXT/mf_key.pub \
testuser@tectia_server:.ssh2/
or
$ scp2 /ftadv:C=ISO8859-1,D=IBM-1047,X=TEXT/mf_key.pub \
testuser@Openssh_server:.ssh/
- If public-key authentication is configured between mainframe
servers, conversion is not needed. To ensure that key stays in EBCDIC
format, binary file transfer should be used.
$ scp2 /ftadv:X=BIN/mf_key.pub
testuser@tectia_server:/ftadv:X=BIN/.ssh2/
or
$ scp2 /ftadv:X=BIN/mf_key.pub testuser@openssh_server:.ssh
- Create an
authorizationauthorized_keys
- If the remote host is running SSH Tectia Server, the key entry needs to be added
to authorization file.
$ ssh2 testuser@tectia_unix_server "echo Key mf_key.pub >> \
.ssh2/authorization"
or
$ ssh2 testuser@tectia_win_server "cmd /c echo Key mf_key.pub >> \
.ssh2/authorization"
- If the remote host is running OpenSSH, the key has to be converted to
the OpenSSH key format and concatenated to the
authorized_keys file.
$ ssh2 testuser@open_server "ssh-keygen -i -f .ssh/mf_key.pub >> \
.ssh/authorized_keys"
- Make sure the
AllowedAuthentications keyword in the
/etc/ssh2/ssh2_config (or $HOME/.ssh2/ssh2_config)
file on the z/OS client contains the argument publickey:
AllowedAuthentications publickey
|
Other authentication methods can be listed in the configuration file as
well.
Using Keys Generated with OpenSSH
SSH Tectia Server for IBM z/OS can use keys generated with OpenSSH. The OpenSSH keys can be
configured the same way as described above in steps 2-5 for keys
generated with ssh-keygen2.
As an alternative to step 2, OpenSSH private keys can be specified
using the IdentityKeyFile option in the ssh2_config
file or with the -K option on the command line.
If the user has an existing OpenSSH authorized_keys file on the
server, the ssh-keygen2 tool can be used to import the OpenSSH
authorized_keys file and to configure the
authorization file, for example:
SERVER> ssh-keygen2 --import-ssh1-authorized-key
$HOME/.ssh/authorized_keys $HOME/.ssh2/authorization
Imported key /home/user/.ssh/authorized_keys:1 to
/home/user/imported-437b1a07-1.pub and added to authorization file
/home/user/.ssh2/authorization
Imported key /home/user/.ssh/authorized_keys:2 to
/home/user/imported-437b1a07-2.pub and added to authorization file
/home/user/.ssh2/authorization
|
For more information on the ssh-keygen2 options, see the
ssh-keygen2 man page (Appendix ssh-keygen2).
Alternatively, the administrator of SSH Tectia Server may enable
AuthorizedKeysFile in the server configuration file
/etc/ssh2/sshd2_config, for example as follows:
AuthorizedKeysFile %D/.ssh/authorized_keys
SSH Tectia Server will check the defined AuthorizedKeysFile in addition to
the user's AuthorizationFile (by default authorization).
Note that the AuthorizationFile has precedence over
AuthorizedKeysFile if the same key is defined in both.
Keys Generated with ssh-keygen1
SSH Tectia Server for IBM z/OS enables the use of keys generated with
ssh-keygen1
$ ssh-keygen2 -1 <keyname>.pub
Successfully converted public key to <keyname>.pub_ssh2
$ ssh-keygen2 -1 <keyname>
Passphrase :
Successfully converted private key to <keyname>_ssh2
